Our Security and Privacy Practices
Trust is one of JNCTN’s key pillars. Excellent security and privacy practices are crucial to build trust, and we strive to achieve this by continuously training people, developing sound processes and integrating security and privacy into our products from the ground up.
We take privacy extremely seriously. We only collect personal information we need, protect it carefully during its lifecycle, process it for what has been approved and discard it when it’s not required anymore. Our platform privacy statement and website privacy statement give more details about data and rights.
Our platform is designed to offer excellent privacy for individuals, putting them in control of their data, what they are sharing and with whom.
Data is always encrypted at rest and in transit. JNCTN accounts can be protected with multi-factor authentication (MFA). Access is monitored 24/7 and any suspicious activity is investigated promptly.
Our platform offers role-based access control (RBAC), giving granularity and allowing organisations to implement key security principles, such as the principle of least-privilege.
The JNCTN platform is cloud-only, built as code, and designed to be secured from the ground up using serverless technology, in line with the Microsoft Azure Well-Architected Framework. All resources in our infrastructure are protected and monitored by Microsoft’s tools, such as Azure Defender.
Access controls are paramount in cloud-based environments. We use dedicated accounts protected with phishing-resistant multi-factor authentication (MFA) to access the production environments. We also have additional controls to secure access, such as conditional access, rate-limiting, and other risk indicators.
JNCTN implements encryption in transport (HTTPS using TLS1.2+) and at rest for all data (typically AES-based), using strong encryption and disabling all deprecated protocols to always ensure the strongest protection possible.
All actions are logged and evaluated by Azure’s security tools. Our security operations centre (SOC) monitors our environments 24/7 and any suspicious activity will be immediately triaged and investigated.
Serices run from multiple locations to ensure high-availability and redundancy in case of a failure. Data is stored on redundant storage, in redundant locations, and is backed up regularly. It is only stored in SOC 2 compliant Azure data centres.
JNCTN leverages the power of Microsoft Azure to ensure elevated levels of security and redundancy. We use firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing or storing data.
All operations staff use workstations secured using Microsoft advanced threat protection, with remote access controlled by MFA, conditional access, and Privileged Identity Management (PIM). They can securely monitor and maintain the environment 24/7, from any location.
JNCTN can operate in a decentralized fashion, with all staff able to securely work from home or another office, as and when required. We have tested business continuity plans to cover the top scenarios such as infrastructure outages, natural disasters, etc.
We continuously monitor our code, infrastructure and services for known vulnerabilities. We also run 3rd party independent penetration tests at least every 12 months. This allows us to stay ahead and continue to improve our platform security. We also encourage responsible disclosure. We take all reports extremely seriously and will endeavor to fix reported issues promptly.
Our DevOps teams adhere to our Secure Systems Development Life Cycle (SSDLC), ensuring that security is incorporated from the inception of a new project and continued throughout the entire life of the system. Our Secure SDLC promotes good practices such as OWASP and aims to offer rapid feedback with automation of security tests. All changes must go through our change control, quality assurance processes, and pass our security checks, before being deployed to production environments.
JNCTN is striving to meet and exceed industry and government good practices.
For example, we follow the requirements of Azure Security Benchmarks (Technology), OWASP (Development) and ISO/IEC 27001:2013 (Governance and Compliance).
We meet the requirements of the New Zealand Privacy Act 2020 and other relevant NZ Laws. We also abide by the European General Data Protection Regulation (GDPR).
JNCTN is also following advice and guidance from the relevant government agencies such as New Zealand’s CERT and National Cyber Security Centre (NCSC), US Cybersecurity & Infrastructure Security Agency (CISA) and UK National Cyber Security Centre (NCSC)